I'm planning to implement a Linux-based firewall/router with at least 6 x 1Gb NICs (network with ~300 computers/servers with >=8 VLANs).

Can anybody recommend hardware best practices (reference to discussions/documents?) for such a design?

I have several books about Linux firewalls, but those are primarily oriented on the iptables++ rules, and there is nothing about hardware recommendations regarding processor choice (number of cores, speed, cache, vendor), RAM, disk/storage performance/configuration, and other considerations while choosing NICs.

3 Answers

Remember first of all that a failure of your firewall will have an impact on your entire network. From that perspective, you should either purchase extremely reliable server-grade hardware with redundant and hot-swap wear parts — or build a pair of machines, and use a protocol like CARP to control failover between them.

That said, the first critical choice regards network interface cards. Performance varies widely. I have been a fan of the Intel PRO series NICs for ages. They are expensive, but they perform. Simple choice.

The next choice regards CPU. The number of CPU cycles per packet will depend highly on your firewall rules. If we're talking about the simplest possibility of a dozen rules with some state-keeping, the cheapest Core i5 will probably get the job done. But if you're approaching a hundred rule evaluations per packet, or plan to run proxies, network intrusion detection, heavy logging, or other such things, you will need more CPU power. How much more? The answer is to prototype and benchmark.

For a network firewall, any new Intel dual-core hardware (Core i3) will do, even at 6x 1 Gbit/s. For an application firewall, I'd recommend a quad core (Core i5). 4 GB RAM will be enough for both uses. Disk storage doesn't matter, but you need at least 5 GB. For network cards I'd recommend Intel or Broadcom NICs that support interrupt coalescence on Linux. I don't recommend buying from a HW vendor like IBM, HP, or Dell, as you will overpay. Just buy the components and assemble it yourself if the shop won't assemble it for you.
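As an added example (not from any of the answers above), here is a small POSIX shell script that checks whether each physical NIC on a Linux box actually reports interrupt-coalescing support via `ethtool -c`, which is the property the answer above recommends looking for. It assumes `ethtool` is installed and reads interface names from `/sys/class/net`; the `SAMPLE_ETHTOOL` text is constructed output used to exercise the parser offline.

```shell
#!/bin/sh
# Added example: verify NIC interrupt-coalescing support on a Linux firewall.
# Assumes ethtool is installed; interfaces are enumerated from /sys/class/net.

# Constructed sample of "ethtool -c" output (not captured from a real box).
SAMPLE_ETHTOOL="Coalesce parameters for eth0:
Adaptive RX: off  TX: off
rx-usecs: 3
rx-frames: 0
tx-usecs: 0
tx-frames: 0"

# Parse "ethtool -c" output for one interface.
# Prints "<iface> rx-usecs=<n> rx-frames=<n>" and returns 0 on success;
# prints "<iface> coalescing not supported" and returns 1 when the driver
# answers "Operation not supported" (the card/driver pair is a poor choice).
parse_coalesce() {
    iface="$1"
    output="$2"
    if printf '%s\n' "$output" | grep -qi 'not supported'; then
        printf '%s coalescing not supported\n' "$iface"
        return 1
    fi
    rx_usecs=$(printf '%s\n' "$output" | awk '$1 == "rx-usecs:" {print $2; exit}')
    rx_frames=$(printf '%s\n' "$output" | awk '$1 == "rx-frames:" {print $2; exit}')
    printf '%s rx-usecs=%s rx-frames=%s\n' "$iface" "${rx_usecs:-n/a}" "${rx_frames:-n/a}"
}

# Walk physical interfaces, skipping loopback and VLAN sub-interfaces (eth0.10).
# Returns the number of interfaces without coalescing support.
report_all() {
    missing=0
    for path in /sys/class/net/*; do
        iface=$(basename "$path")
        case "$iface" in lo|*.*) continue ;; esac
        output=$(ethtool -c "$iface" 2>&1)
        parse_coalesce "$iface" "$output" || missing=$((missing + 1))
    done
    return "$missing"
}

if [ "${1:-}" = "--live" ]; then
    report_all            # inspect the real NICs on this host
else
    parse_coalesce eth0 "$SAMPLE_ETHTOOL"   # dry run on the constructed sample
fi
```

Run it with `--live` on the candidate firewall to see the real per-NIC values; a non-zero exit status means at least one NIC driver does not expose coalescing.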